Foundations of Computer Security
Lecture 56: Cryptographic Protocols

Dr. Bill Young
Department of Computer Sciences
University of Texas at Austin

Thought Experiment

Consider the following scenario:

- Your friend Ivan lives in a repressive country where the police spy on everything and open all the mail.
- You need to send a valuable object to Ivan.
- You have a strongbox with a hasp big enough for several locks, but no lock to which Ivan also has a key.

How can you get the item to Ivan securely?

A Possible Answer

You might take the following sequence of steps:

1. Put the item into the box, attach your lock to the hasp, and mail the box to Ivan.
2. Ivan adds his own lock and mails the box back to you.
3. You remove your lock and mail the box back to him. He now removes his lock and opens the box.

The procedure just described could be regarded as a protocol—a structured dialog intended to accomplish some communication-related goal.

What's This Got to do with Computing?

What goal: To send some content confidentially in the context of a hostile or untrustworthy environment, when the two parties don't already share a secret/key.

You could implement the "same" protocol to send a message confidentially across the Internet. Here,

- the valuable thing is the contents of a secret message;
- the locks are applications of some cryptographic algorithm with appropriate cryptographic keys.

But for this to work in the computing world there's a particular feature that the ciphers have to satisfy. Can you see what it is?

What is the Property?

Imagine that instead of putting another lock on the hasp, Ivan puts your lockbox inside another locked box. The protocol no longer works; you can't reach inside his box to take off your lock in step 3.

On-line, you'd have to be able to "reach inside" his encryption to undo yours. One way this would be true is if the ciphers commute.

$\{\{M\}_{k_1}\}_{k_2} = \{\{M\}_{k_2}\}_{k_1}$

Most encryption algorithms don't have this property. But one that does is: exclusive or (XOR) your message with a randomly generated string (key) of the same length.

So Here's the Protocol

Let $K_a$ be a random string generated by A, and $K_b$ be a random string generated by B, both $K_a$ and $K_b$ of the same length as $M$.

1. $A \to B : M \oplus K_a$
2. $B \to A : (M \oplus K_a) \oplus K_b$
3. $A \to B : ((M \oplus K_a) \oplus K_b) \oplus K_a$

In step 3, the two applications of $K_a$ "cancel out," leaving $(M \oplus K_b)$, which B can easily decrypt with his own key $K_b$.

Whoops!

This is effectively using the one-time pad, so should be very strong. Right?

Even though the one-time pad is a theoretically unbreakable cipher, there's a good reason it's called "one-time." Our protocol is fundamentally flawed. Can you see why?

1. $A \to B : M \oplus K_a$
2. $B \to A : (M \oplus K_a) \oplus K_b$
3. $A \to B : ((M \oplus K_a) \oplus K_b) \oplus K_a$

An eavesdropper who stores the three messages can XOR combinations of them to extract any of $M$, $K_a$, and $K_b$. Verify this for yourself.

Lessons

- Cryptographic protocols accomplish security-related functions via a structured exchange of messages.
- They are very important to security on the Internet.
- They are difficult to design and easy to get wrong in subtle ways.

Next lecture: Cryptographic Protocols II
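
The verification that the "Whoops!" slide leaves to the reader, as an added Python example that is not part of the original lecture. The function names and the sample message are assumptions made for illustration.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def three_pass(message: bytes):
    """Run the three-message exchange.

    Returns (transcript, plaintext recovered by B, K_a, K_b).
    """
    k_a = secrets.token_bytes(len(message))  # A's random pad, same length as M
    k_b = secrets.token_bytes(len(message))  # B's random pad, same length as M
    m1 = xor(message, k_a)                   # 1. A -> B : M xor K_a
    m2 = xor(m1, k_b)                        # 2. B -> A : (M xor K_a) xor K_b
    m3 = xor(m2, k_a)                        # 3. A -> B : K_a cancels, leaving M xor K_b
    received = xor(m3, k_b)                  # B removes his own pad
    return (m1, m2, m3), received, k_a, k_b


def eavesdrop(transcript):
    """Recover (M, K_a, K_b) from the three observed messages alone."""
    m1, m2, m3 = transcript
    k_b = xor(m1, m2)               # (M^Ka) ^ (M^Ka^Kb) = Kb
    k_a = xor(m2, m3)               # (M^Ka^Kb) ^ (M^Kb) = Ka
    message = xor(xor(m1, m2), m3)  # each pad appears twice, M three times
    return message, k_a, k_b


if __name__ == "__main__":
    secret = b"constructed sample message"  # constructed sample input
    transcript, received, k_a, k_b = three_pass(secret)
    print("B received:       ", received)
    stolen_m, stolen_ka, stolen_kb = eavesdrop(transcript)
    print("Eavesdropper got: ", stolen_m)
    print("Pads also leaked: ", stolen_ka == k_a and stolen_kb == k_b)
```
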